From dcd09da317d9710c61000dbda5df2c9a6d59b1fb Mon Sep 17 00:00:00 2001
From: usa
Date: Fri, 16 Feb 2018 16:21:44 +0000
Subject: [PATCH] Fix Unsafe Object Deserialization Vulnerability in gem owner.

merge revision(s) 58471,58493,62436: [Backport #13505]

load.c: backtrace of circular require

* load.c (load_lock): print backtrace of circular require via `Warning.warn` [ruby-core:80850] [Bug #13505]

Send the backtrace of the circular require warning as a single String to Warning.warn

* load.c: send as a single string.
* error.c: expose the string formatted by rb_warning as rb_warning_string().
* test/ruby/test_exception.rb: update tests. [ruby-core:80850] [Bug #13505]

fix regexp literal warning.

* test/rubygems/test_gem_server.rb: eliminate duplicated character class warning. [Bug #14481]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62439 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/rubygems/commands/owner_command.rb | 2 +-
 .../test_gem_commands_owner_command.rb | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/lib/rubygems/commands/owner_command.rb b/lib/rubygems/commands/owner_command.rb
index 11e6e026fd..df64f41e59 100644
--- a/lib/rubygems/commands/owner_command.rb
+++ b/lib/rubygems/commands/owner_command.rb
@@ -48,7 +48,7 @@ class Gem::Commands::OwnerCommand < Gem::Command
 end
 
 with_response response do |resp|
- owners = YAML.load resp.body
+ owners = Gem::SafeYAML.load resp.body
 
 say "Owners for gem: #{name}"
 owners.each do |owner|
diff --git a/test/rubygems/test_gem_commands_owner_command.rb b/test/rubygems/test_gem_commands_owner_command.rb
index dfbc2572dc..22272d4a22 100644
--- a/test/rubygems/test_gem_commands_owner_command.rb
+++ b/test/rubygems/test_gem_commands_owner_command.rb
@@ -34,6 +34,30 @@ EOF
 assert_match %r{- user2@example.com}, @ui.output
 end
 
+ def test_show_owners_dont_load_objects
+ skip "testing a psych-only API" unless defined?(::Psych::DisallowedClass)
+ response = <
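Review bot: The value decoded on the `+ owners = Gem::SafeYAML.load resp.body` line is iterated as an Array of owner hashes on the `owners.each do |owner|` line without any shape check, so a server body that now parses safely but yields nil, a String or a Hash still aborts the command with a NoMethodError and a backtrace instead of a clear error. Since the response body is exactly the untrusted input this commit is hardening, I would validate the type immediately after loading: `raise "unexpected response from the gem server" unless owners.is_a?(Array)`. Whether a Psych::DisallowedClass or Psych::SyntaxError raised by a hostile or malformed body is turned into a user-facing message depends on `with_response`, which is defined outside this hunk; if it does not rescue those, they should be handled here as well. The `with_response` block and the `owners.each` loop continue past the end of the hunk.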